LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 06-25-2008, 05:08 PM   #16
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162Reputation: 162

Does sshd's MaxAuthTries setting do what you want?
Code:
MaxAuthTries
   Specifies the maximum number of authentication attempts permitted per connection.  Once the number of
   failures reaches half this value, additional failures are logged.  The default is 6.
 
Old 06-25-2008, 05:25 PM   #17
gmartin
Member
 
Registered: Mar 2003
Location: PA
Distribution: Slackware 13.37 Linux Reg # 341245
Posts: 285

Rep: Reputation: 40
Quote:
Originally Posted by gilead View Post
Does sshd's MaxAuthTries setting do what you want?
Not quite. I'd like it to build a "hosts.deny"-like list so that after a number of failures, the connection couldn't be reestablished. If I understand this, it would log & drop the connection, but the far-seide could still restart the connection. Its and anti-hammering technique to prevent dictionary attacks.
 
Old 06-25-2008, 05:42 PM   #18
C-Sniper
Member
 
Registered: Dec 2006
Distribution: Slackware
Posts: 507

Rep: Reputation: 33
That is what Denyhosts does, it denies people after X-amount of unsuccessful tries. and then puts the IP in the hosts.deny file.
 
Old 06-25-2008, 05:49 PM   #19
gmartin
Member
 
Registered: Mar 2003
Location: PA
Distribution: Slackware 13.37 Linux Reg # 341245
Posts: 285

Rep: Reputation: 40
Exclamation

Quote:
Originally Posted by C-Sniper View Post
That is what Denyhosts does, it denies people after X-amount of unsuccessful tries. and then puts the IP in the hosts.deny file.
Sorry, I didn't realize that was what DenyHosts referred to. I assumed it was hosts.deny. Thanks for the tip!
 
Old 06-26-2008, 08:08 AM   #20
Ilgar
Member
 
Registered: Jan 2005
Location: Istanbul, Turkey
Distribution: Slackware 14.1, Slackware64 14.1
Posts: 930

Rep: Reputation: 96
I also had similar issues (lots of login attempts in the log files). I changed the ssh settings first but I also found the following Iptables based solution somewhere on the net. It should drop the packets from an IP address if there has been 3 unsuccessful login attempts in the last 60 seconds (I don't know much about iptables and what I just said could be wrong, sorry ) :

You put this in /etc/rc.d/rc.firewall and make the file executable:

Code:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 -j DROP
 
Old 07-18-2008, 04:04 AM   #21
Serapis
LQ Newbie
 
Registered: Mar 2004
Location: Germany
Distribution: Centos 5
Posts: 26

Rep: Reputation: 15
Quote:
Originally Posted by gmartin View Post
Is there a tool to wrap ssh in that will deny an ip after 'x' failed login attempts?
Yes there is: fail2ban

http://www.fail2ban.org

From their Website:
Quote:
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
 
Old 07-18-2008, 06:12 AM   #22
zux
Member
 
Registered: Jul 2006
Location: latvia
Distribution: slackware
Posts: 127

Rep: Reputation: 16
Quote:
Feel free to point out any flaws in my logic -- it would just mean I would change my security settings (and I'm sure would help everyone in the long run)
Well if you can get access to your router from the internet that means if someone breaks it he breaks into 192.168.1 (or whatever your subnet is). and that means that he can start hacking your ip from the router. If I understand it right it's just 2 boxes needed to be hacked before someone gets access to your pc, instead of one
 
Old 07-18-2008, 08:44 AM   #23
GazL
Senior Member
 
Registered: May 2008
Posts: 3,503

Rep: Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026Reputation: 1026
Which is why running any network accessible services directly on your router/firewall box is a bad idea if you care about security.
 
Old 07-18-2008, 09:44 AM   #24
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 267

Rep: Reputation: 57
See the "ssh attack blocking plan" at http://maplepark.com/~drf/consults/linux.html It may work for you.

Dave
 
Old 07-18-2008, 09:15 PM   #25
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,298

Rep: Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722Reputation: 722
Quote:
Originally Posted by zux
Well if you can get access to your router from the internet that means if someone breaks it he breaks into 192.168.1 (or whatever your subnet is). and that means that he can start hacking your ip from the router. If I understand it right it's just 2 boxes needed to be hacked before someone gets access to your pc, instead of one
Supplement the previous plan with mac address filtering and static IPs (though mac addresses can be spoofed), close any services on the router, filter ssh etc. by mac addresses (iptables rules?) etc.

Security is a work-in-progress, not an end-solution.
 
Old 07-19-2008, 04:39 AM   #26
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 13.37, 14.0
Posts: 396

Rep: Reputation: 49
I get lots of attempts like this for years. Since I use strong passwords I get no troubles yet.

But some questions are still unclear for me.

1. If somebody tries to log with username what does not exist he can see the 'user dose not exist' answer?

2. If he tries to log an existing user with wrong password, can he see that the username is good but the password is not?

3. Is it possible to see information like wrong password attempts? I mean if somebody tries to log as root with bad password "password" can I make some list of the passwords what was tried? So if somebody tries more passwords I can list them?
 
Old 07-19-2008, 09:24 AM   #27
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Rep: Reputation: 20
Quote:
Originally Posted by hua
I get lots of attempts like this for years. Since I use strong passwords I get no troubles yet.

But some questions are still unclear for me.

1. If somebody tries to log with username what does not exist he can see the 'user dose not exist' answer?

2. If he tries to log an existing user with wrong password, can he see that the username is good but the password is not?
Nope. He'll get no feedback. Only the permission denied (publickey,password).
I do recommend you move your ssh port out of the range that nmap scans by default. Anywhere high up is good. My first month of running an ssh server gave me roughly 90,000 break in attempts. I moved the port up, and since then it stopped. I have not had an attack since (lazy script kiddies)


Quote:
Originally Posted by hua
3. Is it possible to see information like wrong password attempts? I mean if somebody tries to log as root with bad password "password" can I make some list of the passwords what was tried? So if somebody tries more passwords I can list them?
Interesting. I dunno.
 
Old 07-19-2008, 10:12 AM   #28
slackhack
Senior Member
 
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016

Rep: Reputation: 46
you can do sshd: ALL: DENY in hosts.deny, and then just add the hosts or IPs you want to allow in hosts.allow. that in itself can go a long way to locking it down, along with a firewall rule and using authenticated keys. and if you change the port, that's even another added layer of protection.

I use ssh constantly on my LAN, and those techniques seem to have kept me safe from any attacks.
 
Old 07-19-2008, 10:16 AM   #29
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414Reputation: 414Reputation: 414Reputation: 414Reputation: 414
Quote:
I do recommend you move your ssh port out of the range that nmap scans by default. Anywhere high up is good. My first month of running an ssh server gave me roughly 90,000 break in attempts. I moved the port up, and since then it stopped. I have not had an attack since (lazy script kiddies)
Please note that while this advice will probably keep the stone-cold idiots out of the system, it doesn't actually increase security. If you want to actually make ssh more secure, you need to follow the advice about strong passwords or keys, disallowing root or locking down the IP range that the system can be accessed from. If you just move the ssh port and don't take these sorts of steps then the people you really need to worry about will still be able to find ssh and exploit it.
 
Old 07-19-2008, 11:04 AM   #30
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Rep: Reputation: 20
Quote:
Originally Posted by Hangdog42
Quote:
I do recommend you move your ssh port out of the range that nmap scans by default. Anywhere high up is good. My first month of running an ssh server gave me roughly 90,000 break in attempts. I moved the port up, and since then it stopped. I have not had an attack since (lazy script kiddies)
Please note that while this advice will probably keep the stone-cold idiots out of the system, it doesn't actually increase security. If you want to actually make ssh more secure, you need to follow the advice about strong passwords or keys, disallowing root or locking down the IP range that the system can be accessed from. If you just move the ssh port and don't take these sorts of steps then the people you really need to worry about will still be able to find ssh and exploit it.
Yes, excellent! Moving the port up gives no enhanced security, it should be read as 'in addition to' not 'instead of'.

It keeps the logs a lot cleaner. Simple bot attacks wont pass this 'first hurdle' (note to script kiddies: man nmap && nam ssh should give you an idea of what you are doing wrong). A human with half a notion of what he's doing wont be bothered by port numbers.


But the latter now stick out in the logs.


Would it be safe to assume btw that anyone who has the knowledge to move ssh to a different port also has the knowledge to appreciate the value of long and complicated passwords and out-of-the-ordinary login names??
I mention the latter as brute force attacks often guess regular user names (of an Anglo-Saksen signature, ie a lot of patricia's, eric's and richard's, but not a lot of gŁnter's, wilhelm's or marietje's... giving us non-Engish a little unexpected edge in computer security )
 
  


Reply

Tags
fail2ban, sshd


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
help with my first hack? oldstinkyfish Programming 1 11-13-2004 07:03 AM
Hack this... Pipewrench General 1 10-09-2004 08:02 PM
got hack? deepsix Linux - Software 1 09-16-2003 10:41 PM
what the hack is this? doublefailure Linux - Security 13 04-24-2003 01:23 PM
hack ? spooge Linux - Security 4 01-21-2003 12:54 PM


All times are GMT -5. The time now is 07:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration